"It started off when I was using gg docs and after closing 1 of my docs, I was returned to my 'doc home', however, someone else's email was reflected at the top instead of mine. It disappeared soon after before I could catch what was going on. (...) Lately, the google problem came up again. Nearly every time I boot up my computer, and log in to google toolbar or gmail, I began to notice that when I went further to click on other google services, e.g. gg reader, very often I went into someone else's reader. Not just their email id replacing mine at the top, it was literally someone's reader. I could read their feeds and so on. (...) The MOST SERIOUS thing so far is that you can accidentally make changes to other user's account while you think you are modifying your own. I realized that when I was making changes/adding items, like adding a bookmark, adding a feed into my reader, and adding notes to my notebook, adding gg gadgets to my igoogle, rearranging my igoogle layout, the changes all went to the other party, not mine, and hey this is scary!"

He also mentions that the users seem "to be originating from the same city, which is Singapore, and I suspect some of them are students, by browsing through the gg reader feeds presented to me, and supposedly 'my bookmarks'. (...) Not only did it appear in Singapore, those users seem to be from the same organization, which are local universities, 1 from NTU, and some may be from NUS, and fyi the 2 top universities in Singapore are located in the west of Singapore, and I am in the north-west, which is pretty near to each other."

Another Google user complains over at Google Groups: "Whenever I use Google Reader, I would 'cross-over' to another user's account."

And another one: "I've been logged in to other users today, seeing their feeds instead of mine. I log in to gmail and google reader. While reading the feeds halfway I would see my feeds change into other user's [feeds], my account will also change to other google user account."

Another report, from a regular reader of this blog: "While I was reading posts in Google Reader today, my account was switched to someone else's account. The account name on the upper right corner changed and I could see all his or her subscriptions in my Google Reader. I closed the Reader and opened it again. Nice! I could read another person's subscriptions. I tried iGoogle and it was also changed."

It seems that this isn't an isolated incident and it may have something to do with Google cookies and Google Reader, but it's not very clear. If you had similar problems or you know what causes them, please let us know.

Update. Matt Cutts, from Google, posted this: "Given that most of these reports are coming from a single area (Singapore), it sounds like an ISP isn't handling their connections correctly. We've certainly seen ISPs mess up their proxies before. I'll still ask about this though."

Update 2. Jvy Loh writes: "Since last Saturday [July 22] after Google Reader was patched (need confirmation from Google whether the Google Reader or local ISP proxy/cache played a bigger part in this security problem), I have not noticed any more security glitches. Two other Singapore users who contacted me also reported no more security issues since then. So, we have enough reasons to think that the security issues related to what I have reported have been eliminated."

28 comments:

I had the same problem once in Google reader. I hit refresh, and it showed some different feeds. I refreshed the whole page, and it was someone else's account. After restarting Firefox, everything was back to normal. It was very odd.

I'm from Singapore too. I was using NUS network when I got the problem.

But, on my IE, I have a different account other than the one that encountered the problem. When I used that account, there was no problem at all, even at the same time when I was having the same problem in the other account in Firefox! I logged off the problematic account in Firefox and logged in with the account from IE, there was no problem. I logged in again with that problematic account (also in Firefox) then the problem came back again!!!!

I still don't know what had caused this problem. My testing with two accounts further confused the problem.

Given that most of these reports are coming from a single area (Singapore), it sounds like an ISP isn't handling their connections correctly. We've certainly seen ISPs mess up their proxies before. I'll still ask about this though.

Both the security team and the Google Reader team were already on it. Even though it's not on Google's side as near as we can tell, the Reader team are looking for a way to prevent faulty proxies/caching from affecting users.

This used to happen on my computer. I would log in to my "igoogle" back when it was called Google Home Page and I would get my igoogle but with my girlfriend's mail. She had the same problem. I wrote google but they didn't help except told to be sure we logged out.

I don't use google's service as much. But I notice that google updated their toolbar. If those people who've been having problems also have google toolbar installed, it might have been it. Cause the new google toolbar can keep track of whether you're logged on or not, and also retrieve your unread mail and show it on the toolbar. Seems to be a very likely chance.

I actually had a response from the relevant team from Google on July 20th; it's my fault for being so tardy on posting this. But here's what they had to say:

"We had an isolated bug in our interaction with a proxy server in Singapore, and we've reached out to the local ISP to straighten this out. The Google Reader team has already pushed a fix; we will take steps on our side to prevent this from happening again. If you see any more instances, please contact us here: http://www.google.com/support/accounts/bin/request.py?contact_type=general&ctx=reader "

I believe that the Reader team took steps to prevent this from happening on the same day that the issue occurred. Sorry again for taking so long to post the official comment from Google.

The issue is still ON and we (the affected users) have come together in an email loop and included Philipp (Blogoscoped). Philipp has a post on the issue here: http://blogoscoped.com/archive/2009-05-19-n84.html